Security Overview
PCIe 6.0/7.0 introduces comprehensive security features to protect against physical and logical attacks:
Key Security Technologies
- IDE: Integrity and Data Encryption
- TDISP: TEE Device Interface Security Protocol
- SPDM: Security Protocol and Data Model
- CMA-SPDM: Component Measurement and Attestation
Threat Model
PCIe security addresses multiple attack vectors:
| Threat | Description | Mitigation |
|---|---|---|
| Eavesdropping | Reading data from the PCIe link | IDE Encryption |
| Tampering | Modifying data in transit | IDE Integrity (MAC) |
| Replay Attacks | Replaying captured packets | IDE Sequence Numbers |
| Rogue Devices | Untrusted device insertion | SPDM Authentication |
| Firmware Attacks | Compromised device firmware | CMA-SPDM Attestation |
Integrity and Data Encryption (IDE)
IDE provides link-level and selective encryption for PCIe traffic:
IDE Protection Features
- Encryption: AES-256-GCM for confidentiality
- Integrity: 96-bit MAC (Message Authentication Code)
- Replay Protection: Per-stream sequence numbers
- Key Management: Key refresh mechanisms
IDE Operation Modes
Link IDE
Protects all traffic on the link between two directly connected ports. It is simpler to configure and covers the entire link, but it does not extend through switches.
Selective IDE
Protects specific streams, identified by Requester ID, address, and similar selectors, which allows end-to-end protection through switches. Supports up to 255 IDE streams.
| Feature | Link IDE | Selective IDE |
|---|---|---|
| Scope | Entire link | Specific streams |
| Through Switches | No | Yes |
| Configuration | Simpler | More complex |
| Granularity | All or nothing | Per-stream |
| Use Case | Direct attach | VM isolation |
TEE Device Interface Security Protocol (TDISP)
TDISP enables secure assignment of devices to Trusted Execution Environments (TEEs):
TDISP Goals
- Secure device assignment to TEE/confidential VMs
- Protect device state from untrusted hypervisor
- Establish secure channel between TEE and device
- Support for SR-IOV Virtual Functions
TDISP Interface (TDI) States
- CONFIG_UNLOCKED: Initial state, device configurable
- CONFIG_LOCKED: Configuration locked, awaiting setup
- RUN: Secure interface active with TEE
- ERROR: Security violation detected
SPDM Integration
Security Protocol and Data Model (SPDM) provides:
- Device Authentication: Verify device identity via certificates
- Measurement: Report device firmware state
- Key Exchange: Establish secure sessions
- Secure Messaging: Encrypted management communication
SPDM messages are transported over the PCIe DOE (Data Object Exchange) capability.
Component Measurement and Attestation (CMA-SPDM)
CMA enables verification of device firmware integrity:
- Device reports cryptographic measurements of its firmware
- Verifier compares against known-good values
- Supports multiple measurement blocks
- Enables secure boot chain verification
Attestation Flow
- Verifier requests measurements via SPDM GET_MEASUREMENTS
- Device returns signed measurement report
- Verifier validates signature and measurements
- Device authorized only if attestation passes
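The attestation flow above, as an added example that is not part of this page or of any SPDM implementation: a Go model of both sides, where the device hashes each firmware image into a measurement block and signs the blocks together with the verifier's nonce, and the verifier checks freshness, the signature, and every block against known-good values before authorizing. The report layout, the choice of Ed25519, and the function names are assumptions; real SPDM signs over the message transcript and carries more fields.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// MeasurementReport is a constructed stand-in for an SPDM MEASUREMENTS response
// (not the SPDM wire format): verifier nonce, one SHA-256 digest per block, signature.
type MeasurementReport struct {
	Nonce     []byte
	Digests   [][]byte
	Signature []byte
}

// signedBytes is the byte string the signature covers: nonce || digest_0 || digest_1 ...
func signedBytes(nonce []byte, digests [][]byte) []byte {
	return bytes.Join(append([][]byte{nonce}, digests...), nil)
}

// DeviceRespond models the device: hash each firmware image into its own block, sign with nonce.
func DeviceRespond(priv ed25519.PrivateKey, nonce []byte, firmware [][]byte) MeasurementReport {
	digests := make([][]byte, len(firmware))
	for i, img := range firmware {
		h := sha256.Sum256(img)
		digests[i] = h[:]
	}
	return MeasurementReport{Nonce: nonce, Digests: digests,
		Signature: ed25519.Sign(priv, signedBytes(nonce, digests))}
}

// VerifyReport is the verifier: freshness (our nonce came back), authenticity (signature under
// the key from the device's authenticated certificate), then each block against known-good values.
func VerifyReport(pub ed25519.PublicKey, nonce []byte, r MeasurementReport, knownGood [][]byte) error {
	if !bytes.Equal(nonce, r.Nonce) {
		return fmt.Errorf("nonce mismatch: stale or replayed report")
	}
	if !ed25519.Verify(pub, signedBytes(r.Nonce, r.Digests), r.Signature) {
		return fmt.Errorf("signature does not verify under the device key")
	}
	for i, want := range knownGood {
		if i >= len(r.Digests) || !bytes.Equal(r.Digests[i], want) {
			return fmt.Errorf("measurement block %d missing or differs from known-good value", i)
		}
	}
	return nil // only now may the device be authorized
}
```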